Enabling Apache SSL
OpenBSD has Apache mod SSL enabled by default, but to activate https://
you must manually create or purchase an SSL certificate. Three certificate authorities are VeriSign
, and GoDaddy
. Godaddy has a one-year free SSL certificate
for qualifying open source projects.
The following is a nearly verbatim outline of the steps necessary to create a self-signed certificate from the OpenBSD https FAQ:
// generate a certificate that does not require a passphrase
$ sudo openssl genrsa -out /etc/ssl/private/server.key 2048
// generate a Certificate signing request following the onscreen prompts
$ sudo openssl req -new -key /etc/ssl/private/server.key -out /etc/ssl/private/server.csr
// Note: It is necessary to pay a third-party certificate authority to verify your certificate.
// self-sign the certificate (becoming your own authority) [Note: A warning prompt will display if this is used on
the public www. This type of certificate is useful for computer-to-computer authentication across a LAN.].
$ sudo openssl x509 -req -days 730 -in /etc/ssl/private/server.csr -signkey
/etc/ssl/private/server.key -out /etc/ssl/server.crt
// edit /etc/rc.conf.local to startup Apache with SSL
$ sudo vi /etc/rc.conf.local
// add the following to the httpd_flags=""
// restart Apache
$ sudo apachectl stop
$ sudo apachectl start
Now you are able to serve https:// requests across port 443. Test this out and notice the warnings about the self-signed certificate:
// test https:// with lynx
$ lynx https://127.0.0.1
// and test https:// from across your LAN or from a fully qualified domain name
https://192.168.1.16 or https://your.fullyqualifieddomainname.com
Perhaps the single most important contribution the OpenBSD team has given to the world is OpenSSH. OpenSSH is a method of encrypting data for secure network file transfer. OpenSSH uses a client/server model and controls configuration with two main files:
- /etc/ssh/sshd_config (server parameters)
- /etc/ssh/ssh_config (client parameters)
While the defaults are perfectly fine for a first-boot setup, I recommend a few post-install changes:
- Edit sshd_config by changing the default #PermitRootLogin yes to PermitRootLogin no.
- Create a custom banner for the Secure Shell (ssh) login and place your custom login message on it:
$ sudo vi /etc/ssh/banner.txt
- Restart the OpenSSH daemon as follows:
$ sudo kill -HUP 'cat /var/run/sshd.pid'
- For extra control of logins, use public and private key authentication. Read the manual pages for more details, and alter the OpenSSH configuration files to suit your privacy needs:
$ man sshd
At this point, you may be wondering why OpenSSH root logins are enabled by default. Imagine trying to do a headless remote network install without root access and you will have your answer.
To log in to your OpenBSD-powered computer console over the network, use ssh:
$ ssh username@ipaddress
// for example ssh firstname.lastname@example.org
// The password is the users password.
To transfer files over the network, use the Secure File Transfer Protocol (sftp):
- Edit /etc/sshd_config by adding the line AllowUsers puffy.
- Activate the secure file transfer protocol:
$ sftp username@ipaddress
- Get a file from the remote machine:
$ get file1.txt
- Put a file on the remote machine:
$ put file2.txt
To transfer folders across the network, use the Secure Copy Program (scp). For example, the following code would send an entire folder named desktopfolder from your desktop computer to the home directory of the user you created on your OpenBSD server machine:
$ scp -r desktopfolder puffy@servername:/home/puffy/
Use only the particular functionality that you require for your particular PHP applications. If you do want to expand the PHP server's functionality, you can find more PHP5 extensions in the OpenBSD packages collection under PHP5:
- Image manipulation graphic digest extensions for php5:
$ sudo pkg_add -v php5-gd-5.2.6-no_x11.tgz
- Curl URL library extensions for php5:
$ sudo pkg_add -v php5-curl-5.2.6.tgz
- Imap, pop3 and nntp email extensions for php5:
$ sudo pkg_add -v php5-imap-5.2.6.tgz
- Mcrypt encryption/decryption extensions for php5:
$ sudo pkg_add -v php5-mcrypt-5.2.6.tgz
- Mhash supports a wide variety of hash algorithms (including MD5, SHA1 and GOST):
$ sudo pkg_add -v php5-mhash-5.2.6.tgz
- Open Database Connectivity (ODBC) database access extensions for php5:
$ sudo pkg_add -v php5-odbc-5.2.6.tgz
- PostgreSQL database access extensions for php5:
$ sudo pkg_add -v php5-pgsql-5.2.6.tgz
- Simple Object Access Protocol (SOAP) functions for php5 and XML web services interaction:
$ sudo pkg_add -v php5-soap-5.2.6.tgz
- Cross-platform XML standards based distributed computing:
$ sudo pkg_add -v php5-xmlrpc-5.2.6.tgz
- Extensible Stylesheet Language (XSL):
$ sudo pkg_add -v php5-xsl-5.2.6.tgz